Vulnerability Research Grant Rules

In January 2015 we launched a new experimental program called Vulnerability Research Grants
to complement our long-running Vulnerability Reward Program, with the goal of rewarding
security researchers who look into the security of Google products and services even in
cases where no vulnerabilities are found.

The program is intended for our top performing, frequent vulnerability researchers as well
as invited experts, and we hope it will allow us to reward security researchers' time and
attention, including in situations where they don't find any vulnerabilities. If, as a
result of the grant, a vulnerability is found, it will also be eligible for a reward
under our Vulnerability Reward Program.

List of Vulnerability Research Grants

Newly launched services and features

This grant is for security research on newly launched features and products. (We will share
a list of recently launched products once the grant is awarded.)

This grant is aimed at rewarding researchers who are looking for new research targets and are
curious about what Google has recently launched. Note that the Google product security team
reviews new products and services before launch, but we want to support external research and
scrutiny as well.

Grant amounts will vary from $500 USD up to $3,133.7 USD.

Sensitive product security research

This grant is for security research on an existing Google product considered particularly
sensitive (services listed as Highly Sensitive Services on our VRP page).

The Google security team works actively with products that are hosted on sensitive HTTP
origins or that handle particularly sensitive data. However, since a small mistake in these
products could have grave consequences, we would like to reward additional effort spent
researching their security.

Grant amounts will vary from $1,337 USD up to $3,133.7 USD.

Security improvement efficacy research

This grant is for security research on a recently fixed vulnerability, either in a single
product or Google-wide. (Details of these grants will be made available in our Google+
community.)

After every vulnerability report we receive, we perform a thorough root cause and variant
analysis, and we work with the product team to prevent similar vulnerabilities from recurring
in their product. If we identify the problem as a common anti-pattern, we work on fixing
the issue Google-wide and preventing it in all future Google products. We welcome
scrutiny of the efficacy of these efforts, and would like to recognize the time spent on this
research.

Grant amounts will vary from $1,337 USD up to $3,133.7 USD.

Application Process

Existing VRP reporters can apply for a grant by filling out the form below. The
Vulnerability Reward Program panel will review the applications and issue research grants.
All selected applicants will receive an email with further information.

Once the applicant concludes the research, we ask that the researcher fill out an optional
survey, which we will use to learn about the vulnerability research that was done. We hope
to use this information to understand the difficulty of finding vulnerabilities in different
products.

The final grant amount is always chosen at the discretion of the panel. In particular, we
may decide to issue higher grants for specific research proposals, award multiple grants to
the same researcher, or award only a single grant for multiple research applications.

We understand that some of you are not interested in money. We offer the option to donate
your grant to an established charity. If you do so, we will double your donation, subject
to our discretion. Any grants that are unclaimed after 12 months will be donated to a
charity of our choosing.

Application Form

Existing VRP reporters should apply here using the same Google account / email address they
have used in the past to report vulnerabilities.

Once the application is accepted, details of the grant will be sent by email.

Frequently Asked Questions

Q: How much time should I spend once I receive a grant?
A: The grant application includes both the grant amount and the research it is intended
for, which should give you a rough approximation.

Q: What if I don't find any vulnerabilities?
A: The goal of the grants is to support research that looks for vulnerabilities, so we
fully expect that often no vulnerabilities will be found. Receiving a grant and not
finding anything doesn't affect your chances of receiving a new one. The information in the
survey about what you looked at and what you found will be valuable to us.

Q: What is the purpose of the end-of-research survey?
A: We want to be able to understand how the program is used and how it affects the security
researchers participating in it. We launched this program to reward security research (as
opposed to the identification of specific vulnerabilities), but we understand there are
inherent challenges in changing the structure in this way. As such, we want to make sure we
gather feedback. In addition, we want to know which properties were looked at, to better
understand which properties have received a lot of external scrutiny.

Q: What if I don't receive a grant?
A: We expect to have a large number of grant applications at first, so please be patient.
Also note that not all applications will be accepted. The panel will prioritize
applications from researchers who have received awards in the existing VRP program.

Q: Why not simply increase the rewards?
A: We decided to try something different that is also aimed at rewarding researchers' time
in situations where they pentest services that are unlikely to yield vulnerabilities,
as we believe we also benefit from knowing which products were hard to find bugs in.

Q: Can I blog about the results of my research?
A: The same rules as for the VRP apply here. We would appreciate it if you told us privately
about what you find in your research and gave us a chance to fix the bugs before
making any vulnerabilities public.

Legal points

We are unable to issue grants to individuals who are on sanctions lists, or who are in
countries (e.g. Cuba, Iran, North Korea, Sudan and Syria) that are on sanctions lists. You are
responsible for any tax implications depending on your country of residency and
citizenship. There may be additional restrictions on your ability to participate depending
upon your local law.

This is not a competition, but rather an experimental and discretionary grants program. You
should understand that we can cancel the program at any time, and the decision as to whether
or not to pay a grant is entirely at our discretion.

Of course, your research and testing must not violate any law, or disrupt or compromise any
data that is not your own.